[EPEL-devel] [Proposal] Converge EPEL and CBS

Karsten Wade kwade at redhat.com
Wed Sep 23 21:03:44 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/23/2015 09:49 AM, Stephen John Smoogen wrote:
> On 23 September 2015 at 10:31, Matthew Miller
> <mattdm at fedoraproject.org> wrote:
>> On Tue, Sep 22, 2015 at 08:45:32PM -0700, Karsten Wade wrote:
>>> AIUI, the concern is that what is labeled/supported by the
>>> CentOS Project as 'CentOS' needs to go through the CentOS
>>> Project QA system. We simply cannot blindly accept builds from
>>> outside of the CentOS builders just on say-so. (Compare to
>>> RPMfusion et al -- putting that repo in as a default for Fedora
>>> users is more than a legal issue, it's a
>>> QA/test/build/sign/release issue.)
>> 
>> I can understand that with "out of the family" sources, but with
>> Red Hat now sponsoring CentOS as well as Fedora.... can we build
>> a better bridge of trust, here?
>> 
> 
> I thought what Karsten was asking for was "Trust but Verify". They 
> aren't going to blindly trust RPMs for CentOS more than we are
> going to blindly trust RPMs from COPRs in the build system {I think
> Copr is a better analogy than RPMfusion as that gets covered in
> legal sauce.}. The packages need some sort of testing which would
> actually be more than what we have currently in EPEL. {ssssh I
> didn't say this.}
> 
> There are multiple ways they can trust but verify.
> * Rebuild the package in the CBS system and get their CI to run
>   tests as part of that.
> * Run the CI against the packages, which, depending on how the CI
>   is intertwined with Koji, may be harder than it sounds.
> * Help get a similar CI stood up for EPEL and trust those results.

Thanks, yes, this is an accurate explanation of what I meant to say. :)

I also haven't talked with KB about this in a while, he's out of
pocket for the next few weeks, so it may be a bit until we can get his
input.

- - Karsten
- -- 
Karsten 'quaid' Wade        .^\          CentOS Doer of Stuff
http://TheOpenSourceWay.org    \  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'             gpg: AD0E0C41
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlYDE7AACgkQ2ZIOBq0ODEE0ewCePKKKuRTn90ZboHQjuhBaTWE3
m84AnjnljXIkWGYwyJ1d0gjDIbFd4l6q
=Fkd4
-----END PGP SIGNATURE-----

